Council of Ministers Meeting Advances Proposed Regulation One Step Farther

The meeting of the EU Justice and Home Affairs Council in Brussels on December 4 brought the curtain down on a tumultuous year for all involved in negotiating the proposed General Data Protection Regulation.

With the European Commission and the European Parliament eagerly awaiting the start of “trilogue” negotiations to finalize the regulation, all eyes were on the Council of Ministers to see whether they could build on the incremental agreements made under the Greek and Italian EU Council presidencies during 2014. Could the Italians demonstrate concrete progress on the enduring issues of public-sector flexibility and the regulatory “one-stop shop” before the end of their presidency?

With “by 2015” now widely seen as the deadline for agreeing to the regulation , although this is now interpreted as meaning by the end of 2015, the Italians were keen to hand over the file to the incoming Latvian presidency in good shape.

A Flexible Approach for the Public Sector

The meeting certainly got off to a good start for the presidency with the ministers agreeing to a “partial general approach” on member state flexibility for the public sector. Partial general approach agreements on this regulation have always been subject to the condition that “nothing is agreed until everything is agreed.” However, it was significant that the European Commission, Germany, France, the UK and most other member states gave their backing to the presidency’s proposals, albeit with some details still to be ironed out.

For example, Germany wanted to make sure that the processing of police and criminal justice data did not fall within the scope of the regulation, noting there should be no overlap with the proposed data protection directive that also remains under negotiation. It was also important that member states could maintain “higher” domestic data protection standards in the public sector, even though this would represent a shift away from the harmonizing nature of this legislation. Some may see this as a “directivization” of the regulation.

This notion was underlined by several member states that observed some of the "flexible" provisions in the regulation should also apply to the private sector. This would effectively undermine the European Commission’s original aim of harmonized rules for businesses. Indeed, Austria and Slovenia declared that there was no proper solution on the power of member states to adopt rules on private data, particularly with regards to workers’ protections. On this basis, they could not agree to a partial general approach. Although Hungary also backed this declaration, the presidency ultimately confirmed the council’s majority support for its proposals on public-sector flexibility. This appeared to draw to a close, for now at least, what had been a problematic issue for the council over the last three years.

One-Stop Shop? Or Many Stops, Many Shops?

The ministers subsequently held a nonbinding “orientation debate” on what is generally recognized as a cornerstone of the proposed regulation: the “one-stop shop” and the associated “consistency mechanism.” These aim to ensure that businesses deal with as few national data protection authorities (DPAs) as possible, preferably only one, while not undermining the right of citizens to seek redress through their local DPA.

The presidency pushed hard to close this discussion at the meeting, but the member states are still some way apart, as was demonstrated during the debate. In particular, Ireland and the UK came out forcefully against the proposed solution. They claimed the proposed setup is too bureaucratic, that the mechanism will be swamped by cases and that a similar fate will befall the European Court of Justice when trying to sort out the day-to-day issues of data protection cases raised throughout the EU. The UK justice minister implored his colleagues to "take a step back" before proceeding down the road proposed by the presidency.

It does, however, appear likely that the council will choose to step forward rather than back. The Italian presidency's proposal does attempt to address numerous and varied concerns raised by member states. It aims to ensure that no DPA is bound by the decisions taken by another DPA; it allows for cases to be escalated for binding resolution by the European Data Protection Board; it provides at least some resolution to the issues of cross-border enforcement, and it gives citizens the option to go to their local DPA to seek redress.

So the one-stop shop may not be exactly what some businesses or member states hoped for, but it is likely to gain approval during 2015. And as the incoming Latvian presidency will ask the naysayers: What is the alternative?

Author

Tags

Comments

Related Stories

Servus aus München!
Further to the CNIL fining Google in late January, which sparked much debate in the privacy community across Europe, February also saw some regulatory echoes in Germany through the Bavarian Data Protection Authority, which announced it was considering fining several companies un...

"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU." - European Commission
At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for ...

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby the supervisory authority of the "main establishment" of such controller or processor in the ...

Dataguise announced Sagi Leizerov, CIPP/US, has become its new senior vice president of enterprise privacy solutions. Leizerov previously served as chief data solution officer at Prifender and as global privacy leader at Ernst & Young. Leizerov is also a member of the IAPP’s board of directors. ...

A company based in Dublin alleges several tech companies have breached a patent it owns for data transfer and storage technology, The Irish Times reports. Data Scape has launched 15 lawsuits in the U.S. against companies such as Amazon, Dropbox, SAP, Pandora and Spotify. The tech and patent company ...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.